10.2 Fraud risk assessment & prevention programs

Key Takeaways

  • A fraud risk assessment identifies inherent fraud risks first, rates their likelihood and significance, maps them to controls, and evaluates residual risk.
  • Tips are the number-one fraud detection method (about 42–43% of cases), which makes an anonymous, well-publicized hotline the single most valuable control.
  • The ACFE/COSO Fraud Risk Management Guide sets out five principles — governance, risk assessment, control activity, investigation/corrective action, and monitoring.
  • Prevention programs need a written anti-fraud policy, code of conduct, training, a fraud response plan, and whistleblower protections.
  • Deterrence comes largely from the perceived probability of detection, so publicizing controls and disciplining offenders reduces fraud beyond the controls themselves.
Last updated: July 2026

From Detection to Prevention

Detecting fraud after it happens is costly; preventing it is far cheaper. The ACFE's Report to the Nations consistently finds that a typical organization loses roughly 5% of revenue to fraud each year and that the median scheme runs about 12 months before it is caught. Because most losses are never fully recovered, a mature anti-fraud program shifts emphasis toward prevention and deterrence. Two pillars support that shift: a rigorous fraud risk assessment and a formal fraud risk management program.

The Fraud Risk Assessment

A fraud risk assessment is a structured process to identify and address an organization's vulnerability to internal and external fraud. It differs from a general risk assessment because it focuses specifically on the ways the entity could be defrauded. The core steps are:

  • Identify inherent fraud risks. Brainstorm the universe of potential schemes before considering controls — inherent risk is the exposure that exists naturally. Frame risks in the major categories: fraudulent financial reporting, asset misappropriation, and corruption, plus regulatory and other illegal acts. The fraud triangle (pressure, opportunity, rationalization) helps surface where incentives and openings exist.
  • Assess likelihood and significance. Rate each risk on how likely it is to occur and how significant (material) the impact would be. This lets the team prioritize: a low-likelihood, low-impact risk warrants less investment than a high-likelihood, high-impact one.
  • Identify who and how. Determine which people, departments, or units could perpetrate each scheme and how they would override or circumvent existing controls, including management override.
  • Map existing controls to risks. Link each significant inherent risk to the preventive and detective controls that address it, and evaluate whether those controls are designed and operating effectively.
  • Evaluate residual risk and respond. The risk that remains after controls is the residual risk. Management then decides to accept, avoid, transfer, or further mitigate it — usually by adding or strengthening controls.

The assessment should be collaborative (drawing on operational staff, not just auditors), iterative (repeated as the business changes), and owned by management with board oversight.

The Fraud Risk Management Program

The ACFE/COSO Fraud Risk Management Guide (first published 2016, updated 2023) is the authoritative framework. It defines five principles that map directly onto COSO's five internal-control components:

Principle | Requirement
1. Fraud risk governance | Establish a fraud risk management policy as part of organizational governance
2. Fraud risk assessment | Perform comprehensive fraud risk assessments to identify specific schemes and risks
3. Fraud control activity | Select, develop, and deploy preventive and detective fraud control activities
4. Fraud investigation and corrective action | Establish a reporting process and a coordinated approach to investigation and corrective action
5. Fraud risk management monitoring | Conduct ongoing evaluations to confirm all five principles are present and functioning, and report deficiencies

An effective program built on these principles includes a written anti-fraud policy and code of conduct, visible commitment from senior leadership, fraud-awareness training, a fraud response plan describing how allegations are investigated, and whistleblower protections that shield reporters from retaliation.

Reporting Mechanisms: The Power of Tips

The most valuable single control an organization can deploy is a reporting mechanism — a hotline. The ACFE finds that tips are the number-one detection method, uncovering roughly 42–43% of frauds — far more than internal audit, management review, or external audit. Employees provide the majority of tips, but customers, vendors, and anonymous sources contribute as well. Organizations with hotlines detect fraud more often by tip, detect it sooner, and suffer lower median losses than those without. Best-practice hotlines are:

  • Anonymous and confidential, to overcome fear of retaliation;
  • Independently operated (often by a third party) and available 24/7 in multiple languages;
  • Widely publicized through training and multiple channels (phone, web, email);
  • Backed by an anti-retaliation policy and a documented triage and escalation process.

Proactive Detection Measures

Beyond passive reporting, leading organizations deploy proactive detection to shrink the roughly 12-month duration of the typical scheme. Data analytics and continuous monitoring test entire populations of transactions for red flags — duplicate payments, round-dollar amounts, vendors that share an address with an employee, or entries posted outside business hours. Surprise audits, though used by only a minority of organizations, are associated with substantially lower losses and faster detection because employees cannot predict and prepare for them. Job rotation and mandatory vacations force a second person to handle a potential fraudster's duties and often expose ongoing concealment. Rounding out a prevention program are recurring anti-fraud training, robust pre-employment background checks, and disciplinary consequences applied consistently regardless of an offender's rank or tenure.
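The four red-flag tests named above (duplicate payments, round-dollar amounts, vendor/employee address overlap, after-hours postings) are simple enough to run over an entire accounts-payable population rather than a sample. The script below is an added example, not code from the original page or from the ACFE; the payment, vendor and employee records in it are constructed for illustration, and the business-hours window, the $1,000 round-dollar threshold and the field names are assumptions a real deployment would replace with its own.

```python
"""Proactive fraud analytics: four red-flag tests over a full population of
accounts-payable transactions. Added example with constructed sample data."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample data (assumed field names; not real transactions).
PAYMENTS = [
    {"id": "P1", "vendor": "V100", "amount": 1250.40, "posted": "2024-03-04T10:15:00", "invoice": "INV-7781"},
    {"id": "P2", "vendor": "V100", "amount": 1250.40, "posted": "2024-03-11T09:02:00", "invoice": "INV-7781"},
    {"id": "P3", "vendor": "V205", "amount": 5000.00, "posted": "2024-03-05T22:47:00", "invoice": "INV-0042"},
    {"id": "P4", "vendor": "V310", "amount": 987.13, "posted": "2024-03-06T14:30:00", "invoice": "INV-5519"},
    {"id": "P5", "vendor": "V205", "amount": 4999.99, "posted": "2024-03-07T08:30:00", "invoice": "INV-0043"},
    {"id": "P6", "vendor": "V310", "amount": 300.00, "posted": "2024-03-09T11:00:00", "invoice": "INV-5520"},
]
VENDORS = {
    "V100": {"name": "Acme Supply", "address": "12 Mill Rd, Springfield"},
    "V205": {"name": "Northwind Consulting", "address": "44 Oak Ave, Apt 3, Riverton"},
    "V310": {"name": "Globex Parts", "address": "9 Harbor St, Bayview"},
}
EMPLOYEES = {
    "E17": {"name": "J. Doe", "address": "44 oak ave apt 3 riverton"},
    "E22": {"name": "A. Roe", "address": "200 Main St, Bayview"},
}


def normalize_address(addr):
    """Lower-case, drop punctuation and collapse whitespace so that
    '44 Oak Ave, Apt 3' and '44 oak ave apt 3' compare equal."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split())


def duplicate_payments(payments):
    """Same vendor, same amount and same invoice number paid more than once.
    Amounts are compared in integer cents to avoid float noise."""
    groups = defaultdict(list)
    for p in payments:
        groups[(p["vendor"], round(p["amount"] * 100), p["invoice"])].append(p["id"])
    return sorted(ids for ids in groups.values() if len(ids) > 1)


def round_dollar_payments(payments, min_amount=1000, multiple_of=100):
    """Amounts that are whole multiples of $100 at or above the threshold
    (threshold and multiple are assumptions; tune them to the ledger)."""
    step = multiple_of * 100  # in cents
    return [p["id"] for p in payments
            if p["amount"] >= min_amount and round(p["amount"] * 100) % step == 0]


def after_hours_payments(payments, hours=(8, 18)):
    """Posted on a weekend or outside the assumed 08:00-18:00 window."""
    flagged = []
    for p in payments:
        ts = datetime.fromisoformat(p["posted"])
        if ts.weekday() >= 5 or not (hours[0] <= ts.hour < hours[1]):
            flagged.append(p["id"])
    return flagged


def vendor_employee_address_matches(vendors, employees):
    """Vendors whose normalized address equals an employee's address."""
    by_addr = defaultdict(list)
    for eid, e in employees.items():
        by_addr[normalize_address(e["address"])].append(eid)
    matches = []
    for vid, v in vendors.items():
        for eid in by_addr.get(normalize_address(v["address"]), []):
            matches.append((vid, eid))
    return sorted(matches)


def run_red_flag_tests(payments, vendors, employees):
    """Run every test and return {payment_id: [flags]} for flagged payments only."""
    flags = defaultdict(set)
    for group in duplicate_payments(payments):
        for pid in group:
            flags[pid].add("duplicate")
    for pid in round_dollar_payments(payments):
        flags[pid].add("round_dollar")
    for pid in after_hours_payments(payments):
        flags[pid].add("after_hours")
    suspect_vendors = {vid for vid, _ in vendor_employee_address_matches(vendors, employees)}
    for p in payments:
        if p["vendor"] in suspect_vendors:
            flags[p["id"]].add("employee_address")
    return {pid: sorted(f) for pid, f in sorted(flags.items())}


if __name__ == "__main__":
    for pid, f in run_red_flag_tests(PAYMENTS, VENDORS, EMPLOYEES).items():
        print(pid, ", ".join(f))
```

Each test on its own produces false positives (a legitimate $5,000 retainer is round-dollar; a payroll batch may post at night), so the value is in the combination: a payment that trips several flags at once, as P3 does here, is the one an investigator pulls first, and the thresholds should be set from the ledger's own distribution rather than fixed by policy.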

Ethics, Culture, and Deterrence

A program's rules only work inside a healthy culture. A strong code of ethics, ethics training, and a demonstrated willingness to discipline wrongdoers create deterrence — potential offenders perceive a higher probability of detection and punishment, raising the "cost" side of their rationalization. The perception of detection is often a more powerful deterrent than the controls themselves. That is why publicizing the hotline, conducting surprise audits, and communicating that violations are punished consistently all reduce fraud even when the underlying control activity is unchanged. Prevention, in short, is as much about culture and communication as it is about procedures.

Test Your Knowledge

According to the ACFE’s Report to the Nations, which is the most common method by which occupational fraud is detected?

Test Your Knowledge

In a fraud risk assessment, "inherent fraud risk" is best described as the exposure that exists:

Test Your Knowledge

The ACFE/COSO Fraud Risk Management Guide is built on how many principles, and what is the FIRST one?
